On Sat, Aug 29, 2015 at 01:25:28PM -0500, rlhar...@oplink.net wrote:
> On Sat, August 29, 2015 6:53 am, to...@tuxteam.de wrote:
> > Also netstat (issued from your laptop) gives insight. For example
> > 'netstat -lntu' shows you the TCP or UDP listening sockets. If you are
> > root (or sudo, of course), the extra option -p tells you which process is
> > "at the other side" listening.
> >
> > Note that the dhcp client itself (which you need to get an IP address to
> > take part in your customer's network) puts you already at some risk,
> > depending on how it's configured.
>
> Here is the output from the laptop:
>
> # netstat -lntup
> Active Internet connections (only servers)
> Prot Rec Snd Local Address Foreign State PID/Program name
> -Q -Q Address

Quite a mouthful. Other answers very insightful, especially the
proposals of blocking the relevant ports via firewall (I'd try the
opposite approach though: block every connection from outside except
those you explicitly want)

> tcp 0 0 0.0.0.0:9999 0.0.0.0:* LIS 561/inetd

As others noted: what's inetd doing on 9999? Do have a look at its
config files (somewhere in /etc/inetd.conf).

> tcp 0 0 0.0.0.0:111 0.0.0.0:* LIS 530/rpcbind
> tcp 0 0 0.0.0.0:46225 0.0.0.0:* LIS 540/rpc.statd

RPC is typically needed for NFS. If you don't want to mount your
laptop's file systems from other machines, it's probably superfluous.

> tcp 0 0 0.0.0.0:22 0.0.0.0:* LIS 568/sshd

Common wisdom is to keep that (but to secure it properly, by disabling
root logins and possibly password logins). Perhaps you can ssh into your
laptop should the UI become unresponsive for some reason (e.g. X botches
the graphics card but you still have some running programs you'd want to
finalize in an orderly mode).

> tcp 0 0 127.0.0.1:631 0.0.0.0:* LIS 1248/cupsd

Are you using your laptop as a print server? If not, the cups-client
package might be enough.

> tcp 0 0 127.0.0.1:5432 0.0.0.0:* LIS 675/postgres
> tcp 0 0 127.0.0.1:25 0.0.0.0:* LIS 1063/exim4

Database server, mail server. What are they doing? For postgres, you
could configure it to just serve over a UNIX domain socket, if the
only applications around connect locally. Your call. For exim4 (mail
server)... depends on your mail setup.

> tcp 0 0 127.0.0.1:2628 0.0.0.0:* LIS 599/0

Uh -- what is *this*? A process called "0"? Looks really strange to me.

> tcp6 0 0 :::111 :::* LIS 530/rpcbind
> tcp6 0 0 :::38930 :::* LIS 540/rpc.statd
> tcp6 0 0 :::22 :::* LIS 568/sshd
> tcp6 0 0 ::1:631 :::* LIS 1248/cupsd
> tcp6 0 0 ::1:5432 :::* LIS 675/postgres
> tcp6 0 0 ::1:25 :::* LIS 1063/exim4

Those are IPv6 variants of some of the above.

> udp 0 0 0.0.0.0:36358 0.0.0.0:* 612/avahi-daemon:r

Avahi: this is a service discovery service: your laptop is broadcasting
to the network "hey, here's a [printer, database, whatnot]. Wanna play
with me?" That's one of the things I ban from my computer.

> udp 0 0 0.0.0.0:631 0.0.0.0:* 647/cups-browsed

Here cups is announcing its availability. Down with it :-)

> udp 0 0 0.0.0.0:689 0.0.0.0:* 530/rpcbind
> udp 0 0 127.0.0.1:716 0.0.0.0:* 540/rpc.statd
> udp 0 0 0.0.0.0:57106 0.0.0.0:* 540/rpc.statd
> udp 0 0 0.0.0.0:111 0.0.0.0:* 530/rpcbind

See above.

> udp 0 0 192.168.1.99:123 0.0.0.0:* 664/ntpd
> udp 0 0 127.0.0.1:123 0.0.0.0:* 664/ntpd
> udp 0 0 0.0.0.0:123 0.0.0.0:* 664/ntpd

Providing time services?

> udp 0 0 0.0.0.0:5353 0.0.0.0:* 612/avahi-daemon:r

See above.

> udp6 0 0 :::689 :::* 530/rpcbind
> udp6 0 0 :::43913 :::* 540/rpc.statd
> udp6 0 0 :::111 :::* 530/rpcbind
> udp6 0 0 fe80::ba70:f4ff:fe2:123 :::* 664/ntpd
> udp6 0 0 ::1:123 :::* 664/ntpd
> udp6 0 0 :::123 :::* 664/ntpd
> udp6 0 0 :::5353 :::* 612/avahi-daemon:r
> udp6 0 0 :::44274 :::* 612/avahi-daemon:r

IPv6 variants of some of the above.

> Regrettably, the formatting of the output does not consider the need to
> include the output in the body of an e-mail, so editing was required to
> remove excess spaces so as to prevent every line from being wrapped.

I feel your pain :-)

I'd disable/uninstall many of those. OTOH, you might need them in other
settings, so firewalling them out might be the right choice (and a
chance to learn iptables :-)

regards
-- t
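
The triage done by hand in the message above, as an added example that is not part of the original post: it parses `netstat -lntup` output and keeps only the listeners bound to something other than loopback, grouped by program. The function names (`is_loopback`, `parse`, `reachable`) are this example's own; it also accepts unedited netstat output, where the state reads `LISTEN`, the program name can contain a space, and the PID column is `-` without root.

```python
import ipaddress
import re

# A subset of the listener lines quoted in the message above; the poster had
# squeezed the columns, so the state reads "LIS" rather than "LISTEN".
SAMPLE = """\
tcp 0 0 0.0.0.0:9999 0.0.0.0:* LIS 561/inetd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LIS 568/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LIS 1248/cupsd
tcp6 0 0 :::111 :::* LIS 530/rpcbind
tcp6 0 0 ::1:25 :::* LIS 1063/exim4
udp 0 0 127.0.0.1:716 0.0.0.0:* 540/rpc.statd
udp 0 0 0.0.0.0:57106 0.0.0.0:* 540/rpc.statd
udp 0 0 192.168.1.99:123 0.0.0.0:* 664/ntpd
udp6 0 0 fe80::ba70:f4ff:fe2:123 :::* 664/ntpd
udp6 0 0 :::5353 :::* 612/avahi-daemon:r
"""

def is_loopback(host):
    """True only for 127.0.0.0/8 and ::1; anything unparseable counts as reachable."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # netstat truncates long IPv6 addresses
        return False

def parse(text):
    """Yield (proto, host, port, program) for every tcp/udp listener line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not re.match(r"(tcp|udp)6?$", f[0]):
            continue  # header or unrelated line
        host, port = f[3].rsplit(":", 1)  # the last colon separates the port, also for IPv6
        # UDP rows have no state column, so locate the PID/Program field by its
        # "123/name" shape instead of by position.
        idx = next((i for i in range(5, len(f)) if re.match(r"\d+/", f[i])), None)
        prog = " ".join(f[idx:]).split("/", 1)[1] if idx is not None else "?"
        yield f[0], host, port, prog

def reachable(text):
    """Map program -> sorted proto/port strings that are not loopback-only."""
    out = {}
    for proto, host, port, prog in parse(text):
        if not is_loopback(host):
            out.setdefault(prog, set()).add(f"{proto}/{port}")
    return {prog: sorted(ports) for prog, ports in out.items()}

if __name__ == "__main__":
    for prog, ports in sorted(reachable(SAMPLE).items()):
        print(f"{prog:16} {', '.join(ports)}")
```

Programs that do not appear in the result (cupsd and exim4 in this sample) listen on loopback only; everything listed is a candidate for disabling or for a firewall rule.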